Running Bridge for Active Directory (Fusion as source)


Before You Begin

Purpose

This tutorial shows you how to use the Bridge for Active Directory to synchronize user accounts between Oracle Fusion Applications and Active Directory. Fusion Applications is configured as the source of truth.

Time to Complete

Approximately 90 minutes

Background

The Bridge for Active Directory is a Java client application (referred to as "the client" in this document) that synchronizes users and groups/roles between Oracle Fusion Applications (FA) and Active Directory (AD). User synchronization is required for setting up Single Sign-On (SSO) between Oracle Fusion Applications and Active Directory, since a federated login can only be mapped to an account that exists on both sides.

The client synchronizes information between a source and a target:

  • The Source, also called the Source of Truth, refers to the system that contains the user and role information that will be copied to the target.
  • The Target is the system that will be updated to contain the same user and role information as the Source.

In this exercise you will do the following:

  • Configure the client so that Fusion Applications is the source and Active Directory is the target.
  • Create user accounts in Fusion Applications.
  • Synchronize these user accounts with Active Directory.
  • Log into Fusion Applications using Single Sign-On.

What Do You Need?

  • You will need to enable Single Sign-On between Fusion Applications and your Active Directory instance. Details can be found in Fusion Applications Technology: Master Note on Fusion Federation (Doc ID 1484345.1).
  • A computer running the Windows operating system with a Java Runtime Environment (JRE) installed. The client runs on JRE versions 6, 7 and 8. Ensure that this computer can connect to your Active Directory server on the LDAP port you will configure (389, or 636 when SSL is enabled). Because the client holds credentials for both Fusion Applications and Active Directory, treat it as an administrative workstation.

Configure Bridge for Active Directory

Setup Connection Information


  1. Sign in to Oracle Fusion Applications with an account that has the "IT Security Manager" role.

  2. Click on the Navigator icon.

    [Screenshot: Access Navigator]
  3. Click on the Security Console menu option.

  4. Click on the Administration tab.

  5. Click on Bridge for Active Directory.

  6. Go to the Configuration tab.

  7. Expand the Base Configuration section.

    • Set Source of Truth to "Oracle Fusion Applications".
    • Enter a password in Reset APPID Password. The client will use this password to authenticate to Fusion Applications, so choose a strong one and handle it like any other service credential.
    • Accept the defaults for the remaining fields.
    [Screenshot: Base Configuration]
  8. Expand the Active Directory Configuration section.

    • Enter the host name and port number of your Active Directory server (389 for LDAP, 636 for LDAPS, unless your domain controllers use other ports).

    • Check the Enable SSL box to connect over LDAPS. Without it, the bind credentials you enter in the client and every synchronized attribute value cross the network unencrypted, so enable it unless you have a specific reason not to.

    • Set the User Base DN field to the Distinguished Name of the container in your Active Directory where the client will create user accounts (for example OU=FusionUsers,DC=acme,DC=com). A dedicated OU keeps the synchronized accounts separate from other objects.

    • Set the Search Base DN field to the same value as the User Base DN.
    • Set the "User Search" filter to the LDAP query the client will use to fetch user accounts from your Active Directory server.

      • e.g. (&(objectClass=user)(!(objectClass=computer))). The second clause matters: computer objects in Active Directory also carry objectClass=user, so a plain (objectClass=user) filter would return them as well.
    [Screenshot: Active Directory Configuration]
  9. Click Save.

  10. Click OK on the Confirmation popup.
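Before trusting the User Search filter, it helps to see exactly what it matches. The following is an added example, not code from the tutorial or from the Bridge client: a small evaluator for the subset of LDAP filter syntax used here (and, or, not, equality, presence), run offline against constructed directory entries. Only the filter string comes from the page; the DNs, the OU and the sAMAccountName values are made up. It shows why the (!(objectClass=computer)) clause is there: in the Active Directory schema, computer is a subclass of user, so every computer object also carries objectClass=user.

```python
"""Apply the tutorial's AD "User Search" filter to sample directory entries.

Added example; not part of the Oracle tutorial or of the Bridge client. It
parses the subset of LDAP filter syntax (RFC 4515) used here - and, or, not,
equality and presence - and evaluates it offline against constructed entries.
Only the filter string comes from the page; the entries and DNs are made up.
"""


class FilterSyntaxError(ValueError):
    """Raised for a filter the parser cannot read (unbalanced parentheses etc.)."""


def parse_filter(text):
    """Parse a filter such as (&(objectClass=user)(!(objectClass=computer)))
    into a tree: ("&"|"|"|"!", [children]) or ("=", attribute, value)."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise FilterSyntaxError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in ("&", "|", "!"):
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if op == "!" and len(children) != 1:
                raise FilterSyntaxError("'!' takes exactly one sub-filter")
            if not children:
                raise FilterSyntaxError(f"'{op}' needs at least one sub-filter")
            node = (op, children)
        else:
            end = text.find(")", pos)
            if end < 0:
                raise FilterSyntaxError("unterminated filter item")
            attr, sep, value = text[pos:end].partition("=")
            if not sep or not attr.strip():
                raise FilterSyntaxError(f"bad filter item {text[pos:end]!r}")
            node = ("=", attr.strip(), value)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise FilterSyntaxError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    tree = parse()
    if pos != len(text):
        raise FilterSyntaxError(f"trailing characters at offset {pos}")
    return tree


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: attribute -> list of values).
    Attribute names and values are compared case-insensitively, which is how AD
    treats objectClass and sAMAccountName."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v for key, vals in entry.items() if key.lower() == attr.lower() for v in vals]
    if value == "*":  # presence filter: (attr=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(filter_text, entries):
    """Return the DNs of the entries that match, in the order given."""
    tree = parse_filter(filter_text)
    return [dn for dn, entry in entries.items() if matches(tree, entry)]


USER_SEARCH = "(&(objectClass=user)(!(objectClass=computer)))"  # the tutorial's filter


def sample_entries():
    """Constructed entries under a made-up User Base DN. The computer object
    carries objectClass=user as well: in the AD schema, computer is a subclass
    of user, so (objectClass=user) alone would return it."""
    return {
        "CN=Victor Fielding,OU=FusionUsers,DC=acme,DC=com": {
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "sAMAccountName": ["Victor.Fielding"],
        },
        "CN=WS-0042,OU=FusionUsers,DC=acme,DC=com": {
            "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
            "sAMAccountName": ["WS-0042$"],
        },
        "CN=Sales Team,OU=FusionUsers,DC=acme,DC=com": {
            "objectClass": ["top", "group"],
            "sAMAccountName": ["Sales Team"],
        },
    }


if __name__ == "__main__":
    for flt in (USER_SEARCH, "(objectClass=user)"):
        print(flt, "->", search(flt, sample_entries()))
```

Run it as a script to print the matches for the tutorial's filter and for the bare (objectClass=user) filter side by side. Swapping in the filter you actually configure lets you check that a group or service object sitting in the same OU would not be picked up. Against a live domain the equivalent check is a search under the Search Base DN with the same filter, requesting only sAMAccountName; it should return precisely the people accounts you expect the client to manage.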

Download Bridge for Active Directory

You will now download the client to the computer that has access to your Active Directory server.

  1. Click on Launch to download the client.

    [Screenshot: Download Client]
  2. Click OK on the message "Launch Bridge for Active Directory". This downloads the client installer, a Java Web Start (.jnlp) file.

  3. Launch the downloaded file from your browser.

  4. Enter Fusion Applications credentials to log in to Fusion Applications.

    • Use an account that has the "IT Security Manager" role.
    • Upon successfully logging in, the client will be installed.
    [Screenshot: Client Login]
  5. Click on Run to launch the client.

    • Log in again using the account that has the "IT Security Manager" role.
    • Upon successfully logging in, the client opens.
    [Screenshot: Run Client]
  6. Click on the Configuration tab.

    • Under Active Directory, enter the username and password the client will use to bind to your Active Directory server. Use a dedicated service account whose rights are limited to creating and updating user objects under the User Base DN, not a domain administrator account: the client stores this credential locally on the machine it runs on.
    • Under Oracle Fusion Applications, enter the APPID password you created in the previous section.
    • Click Save.
    [Screenshot: Configure Client]
  7. The client will now synchronize setup information from Active Directory to Fusion Applications.

    • Click OK.
Map Fusion Applications attributes to Active Directory attributes

You will now complete the configuration in the Security Console.
  1. Click on User Attribute Mappings.

  2. Click Add.

  3. Map a Fusion Applications attribute to an Active Directory attribute, as needed.

    [Screenshot: Map an attribute]
  4. Repeat steps 2 and 3 for as many mappings as required.

    • A typical mapping looks as follows (the same source attribute, userName, feeds cn, userPrincipalName and sAMAccountName):

      Source (FA)          Target (AD)
      email.value          mail
      userName             cn
      displayName          displayName
      name.familyName      sn
      name.givenName       givenName
      userName             userPrincipalName
      userName             sAMAccountName

    • Keep in mind that Active Directory limits a user's sAMAccountName to 20 characters and does not accept the characters " / \ [ ] : ; | = , + * ? < > in it, so a generated FirstName.LastName value that is too long is rejected by the directory.
  5. Click Save.
  6. Click OK on the confirmation popup.

Perform initial synchronization of users

You will now synchronize the existing users in Fusion Applications to Active Directory.
  1. Go to the Synchronization tab on the client.

  2. Click Run Now.

    [Screenshot: Initial Synchronization]

Configure policies for user name generation

Enable user name generation for persons


  1. Sign in to Oracle Fusion Applications with an account that has administrative privileges.

  2. Click on the Navigator.

  3. Click on Setup and Maintenance.

  4. Enter Manage Enterprise HCM Information in the search text box and click the search icon.

    [Screenshot: Manage Enterprise Information]
  5. Click on the Manage Enterprise HCM Information task.

  6. Click the Edit button and select Correct.

  7. Expand the User and Role Provisioning Information section.

    • Set User Account Creation to "Both person and party users"

    • Set User Account Role Provisioning to "Both person and party users"

    • Set User Account Maintenance to "Both person and party users"

    [Screenshot: User and Role Provisioning]
  8. Click the Submit button.

  9. Click Yes on the Warning pop-up message.

  10. Click OK on the Confirmation message.

  11. Click Done.

Set user name format

  1. Click on the Navigator icon.

  2. Click on the Security Console menu option.

  3. Click on the Administration tab.

  4. Click on the General tab.

  5. Under User Preferences, set Generation Rule to FirstName.LastName.

    [Screenshot: Username Format]
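With the attribute mapping and the generation rule in place, two things decide whether a synchronized account actually lands in Active Directory: the mapped values must satisfy AD's rules for the target attributes, and the generated user names must be unique. The following is an added example, not code from the tutorial or from the Bridge client, that runs those checks offline on constructed Fusion Applications records. It assumes FA attributes can be read as dotted paths into a nested record (email.value, name.givenName) and that spaces inside a name part are dropped when FirstName.LastName is generated; the page states neither. The sAMAccountName constraints it enforces (the 20-character limit and the forbidden characters) are Active Directory's own.

```python
"""Pre-flight check for a Fusion Applications -> Active Directory sync run.
Added example; not part of the Oracle tutorial or of the Bridge client. It applies
the FirstName.LastName rule and the User Attribute Mappings table from this page to
constructed FA records and reports values Active Directory will not accept, so they
surface before Run Now. Assumed, not stated on the page: FA attributes are dotted
paths into a nested record, and spaces inside a name part are dropped."""
import re

# (FA source attribute, AD target attribute), as in the tutorial's mapping table.
ATTRIBUTE_MAP = [
    ("email.value", "mail"), ("userName", "cn"), ("displayName", "displayName"),
    ("name.familyName", "sn"), ("name.givenName", "givenName"),
    ("userName", "userPrincipalName"), ("userName", "sAMAccountName"),
]
SAM_MAX_LEN = 20                          # AD limit for a user's sAMAccountName
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')  # characters AD rejects in sAMAccountName


def generate_username(given_name, family_name):
    """Security Console generation rule FirstName.LastName (space handling assumed)."""
    return "".join(given_name.split()) + "." + "".join(family_name.split())


def resolve(record, dotted_path):
    """Look up a path such as 'name.givenName' in a nested dict; None if absent."""
    value = record
    for part in dotted_path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def map_user(fa_user):
    """Produce the AD attribute set for one FA record via ATTRIBUTE_MAP."""
    return {target: resolve(fa_user, source) for source, target in ATTRIBUTE_MAP}


def validate_ad_attrs(ad_attrs):
    """Return the reasons (if any) Active Directory would reject these values."""
    problems = []
    sam = ad_attrs.get("sAMAccountName") or ""
    if not sam:
        problems.append("sAMAccountName is empty")
    if len(sam) > SAM_MAX_LEN:
        problems.append(f"sAMAccountName {sam!r} exceeds {SAM_MAX_LEN} characters")
    bad = sorted(SAM_FORBIDDEN & set(sam))
    if bad:
        problems.append(f"sAMAccountName {sam!r} contains forbidden characters {bad}")
    if not ad_attrs.get("cn"):
        problems.append("cn is empty, so the AD object cannot be named")
    mail = ad_attrs.get("mail") or ""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", mail):
        problems.append(f"mail {mail!r} is not a usable address")
    return problems


def plan_sync(fa_users, existing_sams):
    """Classify each FA user as create or update and collect rejects. FA is the
    source of truth, so AD accounts are only created or updated, never deleted.
    sAMAccountName is unique per domain and compared case-insensitively."""
    plan = {"create": [], "update": [], "errors": {}}
    existing = {s.lower() for s in existing_sams}
    seen = set()
    for fa_user in fa_users:
        attrs = map_user(fa_user)
        sam = attrs.get("sAMAccountName") or ""
        problems = validate_ad_attrs(attrs)
        if sam.lower() in seen:
            problems.append(f"sAMAccountName {sam!r} duplicates another FA user")
        seen.add(sam.lower())
        if problems:
            plan["errors"].setdefault(sam or "<no userName>", []).extend(problems)
        elif sam.lower() in existing:
            plan["update"].append(sam)
        else:
            plan["create"].append(sam)
    return plan


def sample_fa_users():
    """Constructed FA person records (not real data) after user name generation."""
    people = [("Victor", "Fielding", "victor.fielding@acme.com"),
              ("Michael", "Shandling", "michael.shandling@acme.com"),
              ("Christopher", "Vandenbroek", "c.vandenbroek@acme.com"),  # 23 characters
              ("Victor", "Fielding", "victor.fielding2@acme.com")]       # namesake
    users = [{"userName": generate_username(given, family), "displayName": f"{given} {family}",
              "name": {"givenName": given, "familyName": family}, "email": {"value": mail}}
             for given, family, mail in people]
    users.append({"userName": "svc/bridge", "displayName": "Bridge service",  # hand-set name
                  "name": {"givenName": "Bridge", "familyName": "Service"},
                  "email": {"value": "bridge@acme.com"}})
    return users


EXISTING_AD_SAMS = {"Victor.Fielding"}  # constructed: created by the initial synchronization

if __name__ == "__main__":
    result = plan_sync(sample_fa_users(), EXISTING_AD_SAMS)
    print("create:", result["create"], "update:", result["update"], "rejects:", result["errors"])
```

The constructed set deliberately contains a 23-character name, a namesake who would receive the same FirstName.LastName value, and a hand-set user name with a slash. Running the script lists Michael.Shandling for creation, Victor.Fielding for update, and the three rejects with their reasons. Run the same checks over an export of the real user accounts before the initial synchronization, and again for every batch of new persons, so that a failing record is corrected in Fusion Applications rather than discovered after the run.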

Synchronize a newly created person to Active Directory - Oracle HCM Cloud

Use this section only if you create persons using the Oracle HCM Cloud

Hire an employee

  1. Sign in to Oracle HCM Cloud with an account that has a role that allows you to create Persons

  2. Click on the Navigator.

  3. Click on New Person.

  4. Click on the Panel Drawer on the right.

  5. Click on Hire Employee.

    [Screenshot: Hire Employee]
  6. Fill in the required fields for Identification.

    • Enter Hire Date, Hire Action, Hire Reason, Legal Employer

    • Enter Last Name, First Name (e.g. Fielding, Victor)

    • Enter any other mandatory fields configured in your environment

    [Screenshot: Identification]
  7. Click Next.
  8. Fill in the required fields for Person Information.

    • Enter Home Address

    • Create an email with the following attributes:

      • Primary - Checked
      • Type - Work E-mail
      • Email - victor.fielding@acme.com
    • Enter any other mandatory fields configured in your environment

    [Screenshot: Person Information]
  9. Click Next.
  10. Fill in the required fields for Employment Information.

    • Enter Business Unit, Assignment Status

    [Screenshot: Assignment Information]
    • Enter Manager Name, Manager Type

    [Screenshot: Manager Information]
    • Enter any other mandatory fields configured in your environment

  11. Click Next.
  12. Click Next.
  13. Click Submit.
  14. Click Yes on the Warning popup.
  15. Click OK at the Confirmation popup.

Confirm that a user account has been created for the Person

  1. Sign in to Oracle Fusion Applications with an account that has the "IT Security Manager" role.

  2. Select the Navigator menu

  3. Click on Security Console.

  4. Click on the User Accounts tab

  5. Search for the newly created user account to confirm that it exists. The user name follows the generation rule FirstName.LastName (e.g. Victor.Fielding).

    [Screenshot: User Account Search]

Synchronize user accounts

Run the client to synchronize the newly created Fusion Applications account to Active Directory

  1. Click on the Synchronization tab. Click Run Now.

    [Screenshot: Synchronize Users]

Confirm that a user account is created in Active Directory

  1. On your Active Directory server, launch Active Directory Users and Computers.

  2. Search for the newly created account, e.g. Victor Fielding.

    [Screenshot: Search AD User]
  3. Confirm that all mapped attribute values are synchronized.

    [Screenshot: Account Attributes 1]

    [Screenshot: Account Attributes 2]
  4. Perform the necessary administrative actions on this newly created account in Active Directory. A user object created through LDAP starts disabled and without a password, so nobody can sign in with it until you do both of the following:

    • Set up the account password (choose a strong initial password, deliver it to the user out of band and require a change at first logon)
    • Enable the account

Log into Fusion Applications

  1. Access your Fusion Applications homepage

    • If SSO is set up, you will be redirected to your Active Directory login page
  2. Log into Active Directory using the Active Directory credentials that were set up in the previous step

  3. Upon successful login, you will be automatically redirected to the Fusion Applications homepage

Synchronize a newly created person to Active Directory - Oracle Sales Cloud / Oracle ERP Cloud

Use this section only if you create persons through Oracle Sales Cloud or Oracle ERP Cloud.

Manage Users

  1. Sign in to Oracle Fusion Applications with an account that has a role that allows you to create Persons

  2. Click on the Navigator.

  3. Click on Manage Users.

  4. Click on the + icon to create a new person.

    [Screenshot: Manage Users]
  5. Enter information about the person.

    • Enter Last Name, First Name (e.g. Shandling, Michael), Email

    • Set Person Type to Employee

    • Select Legal Employer, Business Unit

    [Screenshot: Person Details]
    • Click Autoprovision Roles

    [Screenshot: Autoprovision Roles]
  6. Click on Save and Close.

Confirm that a user account has been created for the Person

  1. Sign in to Oracle Fusion Applications with an account that has the "IT Security Manager" role.

  2. Select the Navigator menu

  3. Click on Security Console.

  4. Click on the User Accounts tab.

  5. Search for the newly created user account to confirm that it exists (e.g. Michael.Shandling).

    [Screenshot: Search User Accounts]

Synchronize user accounts

Run the client to synchronize the newly created Fusion Applications account to Active Directory

  1. Click on the Synchronization tab. Click Run Now.

    [Screenshot: Synchronize Users]

Confirm that a user account is created in Active Directory

  1. On your Active Directory server, launch Active Directory Users and Computers.

  2. Search for the newly created account, e.g. Michael Shandling.

    [Screenshot: Search AD User]
  3. Confirm that all mapped attribute values are synchronized.

    [Screenshot: Account Attributes 1]

    [Screenshot: Account Attributes 2]
  4. Perform the necessary administrative actions on this newly created account in Active Directory (the account starts disabled and without a password):

    • Set up the account password
    • Enable the account

Log into Fusion Applications

  1. Access your Fusion Applications homepage

    • If SSO is set up, you will be redirected to your Active Directory login page
  2. Log into Active Directory using the Active Directory credentials that were set up in the previous step

  3. Upon successful login, you will be automatically redirected to the Fusion Applications homepage